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In this paper, we implement a revised pseudo random bit generator based on a 
rule-90 cellular automaton. For this purpose, we introduce a sequence matrix Hf^ with 
the aim of calculating the pseudo random sequences of bits employing the algorithm 
related to the automaton backward evolution. In addition, a multifractal structure of 
the matrix _ffjv is revealed and quantified according to the multifractal formalism. The 
latter analysis could help to disentangle what kind of automaton rule is used in the 
randomization process and therefore it could be useful in cryptanalysis. Moreover, the 
conditions are found under which this pseudo random generator passes all the statistical 
tests provided by the National Institute of Standards and Technology (NIST). 
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1. Introduction 

Random numbers constitute one of the main ingredients in a great number of ap- 
plications such as cryptography, simulation, games, sampling, and so on. Cellular 
automata (CA) offer a number of advantages over other methods as random number 
generators (RNG), such as algorithmic simplicity and easy hardware implementa- 
tion. In fact, CA are highly parallel and distributed systems which are able to 
perform complex computations. 

Over the last years, researchers have applied cellular automata in pseudo-random 
number generation (PRNG) 1 2 3 4 5^ These PRNGs must possess a number of 
properties if they are to be used for cryptographic application. The most important 
from this point of view are good results on standard statistical tests of randomness, 
computational efficiency, a long period, and reproducibility of the sequence In 
many encryption systems, PRNGs are used to get keys, which are generated from 
an initial seed, and they are reproducible if the same seed is used. 

Wolfram was the first to apply the one-dimensional elementary cellular automata 
(EGA) to obtain PRNGs He considered only the use of the rul e 30 in one dimen- 
sion with radius 1. Other authors have used non- uniform EGA I^ISMl^ where they 
have found that the quality of the latter PRNGs was better than the quality of 
Wolfram's system. 

Despite these works demonstrate an improvement in the quality of PRNGs, 
this study is devoted to an extension of the analysis of the evolutionary technique 
for getting PRNGs based on a uniform EGA with rule 90 ^21. Namely, we consider 
a modification of the generator producing PRGNs. The initial proposal has been 
never implemented and studied in terms of the sequence matrix H^, which is used 
here to generate recursively the pseudo random sequences. The time series of the 
row sums of the matrix are also analyzed within the multifractal formalism 
because they could be a possible useful feature for cryptanalysis of these types of 
PRNGs. In order to check the quality of this EGA-PRNG, the generated sequences 
are evaluated statistically by the NIST suite. The generated sequences, in length 
terms, pass all the statistical tests proposed by NIST. Our results suggest that this 
generator in its two versions that we discuss in the following fit naturally in the 
present digital communication systems and achieve high levels of performance. 

2. Elementary Cellular Automata 

The EGA can be considered as discrete dynamical systems that evolve in discrete 
time steps. The state space of a GA of size N is the set Q, = of all sequences of 
N cells that take values from — {0, 1, . . . , fc — 1}, where its evolution is defined 
by the repeated iteration of an evolution operator A : Z^ — )■ Z^. In this paper, 
we consider k = 2 where Z is the set of integers. An automaton state x G Zf has 
coordinates {x)i — Xi G Z2 with i G Z, and the automaton state at time t > is 
denoted by S Zf and its evolution is defined iteratively by the rule = A{x*). 
Starting from the initial state x'^ , the automaton generates the forward space-time 
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pattern x e Zj^^ with state (x)* = x* = reached at from x° after i e N 

time steps. N denotes the set of nonnegative integers. 

One can see that the time, space, and states of this system take only dis- 
crete values. The EGA considered evolves according to the local rule xl'^^ = 
xl, xl_^-^) = [x\_i + a;-]mod 2, which corresponds to the rule 90. The fol- 
lowing is the lookup table of rule 90. 



Number 


7 


6 


5 


4 


3 


2 


1 





Neighborhood 


111 


110 


101 


100 


Oil 


010 


001 


000 


Rule result 





1 





1 


1 





1 






The third row shows the future state of the cell if itself and its neighbors are in 
the arrangement shown above in the second row. In fact, a rule is numbered by the 
unsigned decimal equivalent of the binary expression in the third row. When the 
same rule is applied to update cells of EGA, such EGA are called uniform EGA; 
otherwise the EGA are called non-uniform or hybrids. It is important to observe 
that the evolution rules of EGA are determined by two main factors, the rule and 
the initial conditions. 

3. Pseudo Random Sequences Generator 

In Ref.m Mejia and Urias presented an ergodic and mixing transformation of binary 
sequences in terms of a cellular automaton, which is the main element of a pseudo- 
random generator number (PRGN). To implement numerically the PRGN in its 
basic form, we follow their algorithm, which is shown in Fig. [1] At first, the key 
generator requires two seeds, x = Xq^^, of N bits, and y = Xg, of (iV-f 1) bits, which 
are the input of function t = ft,(x, y). The seeds are x = {xi,X2,xj,, . . . ,XAr} and 
y = {yii 2/2, 1/3, • • ■ , yN+i\, and the first number generated of N bits is the sequence 
output of function h, t = x\ = {ii, ^3, • ■ • , ^Ar}- Now this sequence is feeding 
back to the input, which becomes the next value of x, and the previous value of x 
becomes the initial bits of the new y, where the missing bit is the least significant 
bit (LSB) of the previous y, which becomes the most significant bit (MSB) of this 
sequence, and the same procedure is iterated repeatedly. 

The previous description to compute the function t — /i(x, y) requires that the 
cellular automaton runs backwards in time as is depicted in Fig. [2] The symbol 
of a circled -|- represents a XOR gate and the connectivity of gates follows the 
automaton rule. However, this way to compute the pseudo-random sequences is not 
efficient since it requires the application of the local rule of the automaton at all 
points in a lattice of the order of N"^ , where TV is the number of bits considered 
in the generation process. Fig. |3] (a) shows a complete evolution in the lattice of 
the generator considered with iV = 31 bits, where the two left columns comprise 
the seed (x, y), the top row is the resulting pseudo random key sequence t, and 
the intermediate elementary computations are the rest. A clear dot represents a bit 
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value of 1, whereas a dark dot corresponds to a bit value of 0. 

To overcome this, Mejia and Urias formulated an efficient algorithm that 
gets rid of the intermediate variables and produces boolean expressions for the 
coordinates of the output sequence t = /i(x, y) in terms of the input (x, y). This 
algorithm offers a boolean representation of /i, without intermediate steps, in terms 
of some "triangles" in the underlying lattice. The pattern of triangles is observed in 
Fig. [31^ a). In fact, it is well known that the evolution of rule 90 has the appearance 
of a Sierpinski triangle when responding to an impulse, i.e., when the first row is 
all Os with a 1 in the center. 

We introduce now the sequence matrix Hn , which computes the pseudo-random 
sequences of N bits. This matrix has dimensions of {2N + 1) x (2A^-|- 1) and is formed 
by the matrices Hn-i and HMh^ which constitute the top and bottom parts of i?Ar, 
that is, H]\j = [Hn^ ; Hn,^). The matrix Hn^ has dimensions of iV x {2N+1) elements 
and it is generated initially from vectors v = [wi, 0, . . . , 0, • • ■ , 0] and w = 

[0, W2, 0, wn+1, 0, wn+3, 0], where the components wi, t;Ar+2, ^2, wat+i 
and ?«Ar-f3 have a value of 1, and N is the number of bits, i. e., v and w are 
vectors with (2iV + 1) elements. The vectors v and w constitute the two first rows 
of the matrix H^^ and the {N — 2) rows are generated applying an addition modulo 
2 operation of the two previous rows, with the elements of the previous row shifted 
to the right by one position. The matrix H^^, of dimensions {N + 1) x {2N + 1), 
has a simpler form, an identity matrix in the first 1) columns and zeros in the 
rest. For instance, for iV = 3 we have that the top and bottom matrices are 



Notice that Hpj^ computes the pseudo random key sequence, whereas Hpj^ the 
feedback sequence. Therefore, once selected the number N of bits of sequences, we 
can generate the pseudo random sequences of N bits with the help of the matrix 




(1) 



then the matrix is 




/l 
10 1 
10 10 
10 
10 
10 

yo 1 



1 o\ 
1 
1 



0/ 



(2) 



Ufc+1 = i/AfUfe, k = 



1,2,... 



(3) 
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where Ufc = [x y]-^ corresponds to the first inputs of function /i, and Ufc+i 
is composed by the next inputs of h; note that U^+i is formed by the generated 
pseudo random key and the feedback sequence. 

3.1. Modified generator 

As was pointed out in Ref. 12 a generating scheme consisting of three coupled trans- 
formations h is proposed to attain an asymptotically unpredictable generator under 
a random search attack. This proposal is shown in Fig. |4l and it is explained briefly. 
Inside the new generator two copies of the basic transformation h are iterated au- 
tonomously from their initial words generating two sequences, {p^}k>o and {q^}k>Q- 
The third copy, called the x-map, is iterated in a slightly different manner, the func- 
tion h in the cc-map is driven by the autonomous p-map and g-map according to 
= h{p^,q^). The three maps generate pseudo random sequences, but just the x 
sequence is released. In order to prevent predictability, the first two words are gen- 
erated, used and destroyed inside this key generator, therefore they are not available 
externally. Since the sequences and have a length of N bits, and the required 
inputs of the h transformation must be one of N bits and other of [N + 1) bits, 
the missing bit is obtained applying an addition modulo 2 operation between the 
two respective LSB's that become the MSB's of their respective previous inputs of 
maps. Of course, there exists different manners to generate this missing bit, but we 
consider this way. The above scheme has been just proposed, but it has not been 
implemented and studied in terms of the matrix sequence. The new pseudo-random 
keys are computed as 



(4) 



where X^r = - 
{Pi, ■ • ■ , 91, ■ • 



{xi, X2, . . . , xn}'^ , iJ/vfj is the top matrix of Hn, and Vat 
. . , qN+i}^ ■ For example, considering = 3, we have 





where we calculate pi and qi as it was explained above. Fig. [3] (b) shows the 
complete evolution of this modified generator for 31 bits, with the p-map on the left 
side, the g-map on the middle, and the x-map on the right side. 
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3.2. Multifractal properties of the matrix Hn 

Since the evolution of the sequence matrix Hn is based on the evohition of the CA 
rule 90, the structure of the patterns of bits of the latter are directly reflected in 
the structure of the entries of H]s[. There is recent liter ature on t he multifractal 
properties of cellular automata for some set of rules, see 1 ^11111^ 1 In Ref. [T31 we 
used the technique of detrended fluctuation analysis based on the discrete wavelet 
transform (WMF-DFA) to quantify the intrinsic multifractal behavior of the EGAs 
for rules 90, 105, and 150. 

Here, in the same spirit as in Ref.ll3| we analyze the sum of ones in the sequences 
of the rows of the matrix Hm with the db-4 wavelet, a wavelet function that belongs 
to the Daubechies family 

The results for two row sums, -^1023 and i?2047i are illustrated in Figs. [SJIHl 
We confirm the multifractality of both time series since we get a t spectrum with 
two slopes in both cases. The strength of the multifractality is roughly measured 
with the width Aa = amax — Qfmm of the parabolic singularity spectrum f{a) on 
the a axis. For the case of -ffio23 the width Aa/fj^jg = 1.16 — 0.212 = 0.948, and 
the most "frequent" singularity occurs at ctnifn^^g^a ~ 0.694, whereas for i?2047j 
^0:^2047 = 1-12 - 0.145 = 0.975, and amfH^o^ = OMS. We notice that both the 
strongest singularity, amin, and the weakest singularity, amax, are very similar as 
well as the most "frequent" singularity. These results are in a good agreement with 
those obtained in Ref. 13 for the rule 90, although the spectra of the top matrix 
present a slight shifting to the right. In fact, this behavior is more evident in the 
row signals of (Figs. [5][6] (c)), where their corresponding spectra (dotted points) 
are shown in Figs. [5][6] (f). 

4. Statistical Tests 

There are several options available for analyzing the randomness of the pseudo 
random bit generators. The four most popular options according to Ref. [TSl are the 
following: NIST suite of statistical tests, the DIEHARD suite of statistical tests, 
the Crypt-XS suite of statistical tests and the Donald Knuth's statistical test set. 

In this paper, we consider the NIST suite to analyze the generated pseudo ran- 
dom sequen ce keys. The main reason is that this suite has several appealing prop- 
erties HBUZI Yot instance, it is uniform, it is composed by a number of well known 
tests and, for all of them, an exhaustive mathematical treatment is available. In 
addition, the source code of all tests in the suite is public available and is regularly 
updated In fact, in Ref. fT6l is mentioned that the NIST suite may be useful as 
a first step in determining whether or not a generator is suitable for a particular 
cryptographic application. 

The NIST suite is a statistical package consisting of 15 tests that were de- 
veloped to test the randomness of (arbitrarily long) binary sequences produced by 
either hardware or software based cryptographic random or pseudo-random number 
generators. These tests focus on a variety of different types of non-randomness that 
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could exist in a sequence. Some tests are decomposable into a variety of subtests, 
and the 15 tests are listed in Table [T] 



Table 1. List of NIST Statistical Tests. 



Number 


Test name 


1 


The Frequency (Monobit) Test 


2 


Frequency Test within a Block 


3 


The Runs Test 


4 


Tests for the Longest-Run-of-Ones in a Block 


5 


The Binary Matrix Rank Test 


6 


The Discrete Fourier Transform (Spectral) Test 


7 


The Non-overlapping Template Matching Test 


8 


The Overlapping Template Matching Test 


9 


Maurer's "Universal Statistical" Test 


10 


The Linear Complexity Test 


11 


The Serial Test 


12 


The Approximate Entropy Test 


13 


The Cumulative Sums (Cusums) Test 


14 


The Random Excursions Test 


15 


The Random Excursions Variant Test 



For each statistical test, a set of P — values (corresponding to the set of se- 
quences) is produced. For a fixed significance level a, a certain percentage of 
P — values are expected to pass/fail the tests. For example, if the significance level 
is chosen to be 0.01 (i.e., a = 0.01), then about 1% of the sequences are expected to 
fail. A sequence passes a statistical test whenever the P — value > a and fails oth- 
erwise. For each statistical test, the proportion of sequences that pass is computed 
and analyzed accordingly. It is not sufficient to look solely at the acceptance rates 
and declare that the generator be random if they seem fine. If the test sequences are 
truly random, the P — values calculated are expected to appear uniform in [0, 1]. 

For the interpretation of test results, NIST has adopted two approaches, (1) the 
examination of the proportion of sequences that pass a statistical test and (2) the 
distribution of P — values to check for uniformity. 

• Proportions of the sequence passing the tests: For each test is computed the pro- 
portion of sequences that passes the tests. First, the range of acceptable propor- 
tions is determined using the confidence interval, which is defined as 

MsJ^, (6) 
V m 

where p — 1 — a, and m is the sample size. If the proportion falls outside of this 
interval, then there is evidence that the data is non-random. 

• Uniform Distribution of P ~ values: The distribution of P- values is examined to 
ensure uniformity. This may be visually illustrated using a histogram. It may be 
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also computed by means of a chi-square test (x^)j and the determination of a 
P — value of the P ~ values. The computation is as foUows: 



where fi is the number of P — values in the sub-interval i and m is the size of 
the sample, which is m = 100 for the present analysis. A P — value is calculated 
such that P — valuer — igamc(9/2, x^/2), where igamc(n,x) is the incomplete 
gamma function. If P — valuer > 0.0001, then the sequences can be considered 
to be uniformly distributed. 

4.1. Results of the NIST statistical test suite 

For the present statistical test, the two analyses described above are applied 
and evaluated to determine if the generated sequences are random or not. We 
have considered m = 100 samples of 10^ bit sequences, where each sequence has 
been generated from a randomly chosen seed, and the proportion must lie above 
0.960150(q; = 0.01) and P — valuer > 0.0001. In order to investigate the perfor- 
mance of the generator, we analyze the generated pseudo-random sequences for 
= 7, iV = 15 and iV = 31 bits, considering one and three transformations. 

4.1.1. Case of N = 7 bits 

In Figs. [7]l8] are shown the results from the NIST testing for = 7 bits for one 
and three transformations, respectively. We can observe that in this case there is a 
poor performance; the generated pseudo random sequences just passes some tests 
and are not uniformly distributed. 

4.1.2. Case of N ^ 15 hits 

Figs. [MTOl show the results for iV = 15 bits for one and three transformations, 
respectively. There is better performance that in the previous case. We can observe 
that using one transformation, the generator do not passes all tests, see Fig. [9l but 
it is uniformly distributed. 

4.1.3. Case of N = 31 bits 

In the last case. Figs. [TT]fT2l show the results for = 31 bits for one and three 
transformations, respectively. As we can see, all tests are passed using one and 
three transformations. 

5. Conclusions 

We have implemented and reviewed a pseudo-random number generator based on 
a rule-90 cellular automata. This generator in its basic form (using one transforma- 
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m ^2 




(7) 
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tion) , and its modified version (with three transformations) are analyzed by means 
of a sequence matrix Hj^. The intrinsic multifractal properties of the sequence ma- 
trix in the two versions of the generator are discussed having in mind their possible 
usage in cryptanalysis. In addition, the quality of the generated pseudo random 
sequences are evaluated using the NIST statistical tests. According to these tests, 
this PRNG can generate high-quality random numbers using one or three transfor- 
mations. It is worth noticing that the longer the length of the generated numbers 
the better is the quality of the random numbers we obtain. In other words, the 
generator will produce sequences of keys with a better quality as the size of keys 
is increased. The only case that fails to pass all the tests with one or three trans- 
formations is for TV = 7 bits. There are also some statistical problems for = 15 
bits using one transformation. We were able to obtain random sequences of 15 bits, 
without repeating, of period length 2^^ and 2^^^ using one and three transformations, 
respectively. These results are sufficient for many cryptographic applications. 
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(N+1) bits 



4 
I 



(N+1) bits 



(N+1) bits 



h 













Fig. 1. Basic form of the pseudo-random number generator. MSB and LSB correspond to the 
most significant bit and the least significant bit, respectively. 




Fig. 2. Generation of a pseudo-random key with input (x, y) and output t = ft{x, y). 
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Fig. 3. Complete backward evolution of the EGA to generate a random sequence of 31 bits with 
(a) one transformation according to Eq. Js}, and with (b) three transformations according to the 
modified generator given in Eq. Q. We display the sequences pjj, g^, and xj.. 



Seed 1 



Seed! 



(N-llbits 



Nbits 
^ MSB 



Nbits 
IVLSB ^ 
Ibit ( 

\ 

LSB 



MSB 

-nz 



(N-l) bits 



Fig. 4. A generating scheme consisting of three coupled transformations. 
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Fig. 5. (a) Time series of the row signal of -ffio23- Only the first 2® points are shown of the 
whole set of 2^" — 1 data points. Profiles of the row signal of {h)H^^ and (c) H^. (d) Generalized 
Hurst exponent h{q). (e) The t exponent, T{q) = qh{q) — 1. (f) The singularity spectrum /(o) = 



dq 



T{q). The calculations of the multifractal quantities h, t, and f{a) are performed with 



the wavelet-based WMF-DFA. Dotted points correspond to the row signal ol Hff. 
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Proportion of the sequences passing the tests. 
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Fig. 7. Proportions and P—valuesx corresponding to N = 7 bits and one transformation. Daslied 
line separates the success and failure regions. 
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Proportion of the sequences passing the tests. 




P - Values corresponding to each statistical test. 




Fig. 8. Proportions and P — valuesT corresponding to N = 7 bits and three transformations. 
Dashed line separates the success and failure regions. 
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Proportion of the sequences passing the tests. 
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Fig. 9. Proportions and P — valuesx corresponding to A'^ = 15 bits and one transformation. 
Dashed line separates the success and failure regions. 
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Fig. 10. Proportions and P — valuesT corresponding to A'^ = 15 bits and three transformations. 
Dashed line separates the success and failure regions. 
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Proportions of the sequences passing the tests 
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Fig. 11. Proportions and P — valuesT corresponding to Af = 31 bits and one transformation. 
Dashed line separates the success and failure regions. 
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Proportions of the sequences passing the tests 
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Fig. 12. Proportions and P — valuesT corresponding to A'^ = 31 bits and three transformations. 
Dashed line separates the success and failure regions. 
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